Underground Escrow Marketplaces Fuel $27B Cybercrime Economy on Telegram
Between 2021 and 2025, a sprawling illicit economy processed over $27 billion in cryptocurrency, leveraging an escrow system modeled after legitimate e-commerce platforms like Alipay. Operating primarily on Telegram, these Chinese-language "guarantee" marketplaces have become the backbone of global cybercrime, facilitating the trade of stolen enterprise credentials, money laundering services, and corporate impersonation tools.
The system mirrors traditional escrow models: a marketplace operator holds the buyer’s cryptocurrency (typically USDT/Tether) until the seller delivers the illicit goods, whether stolen data, fraud kits, or deepfake services. Disputes are resolved by the operator, and vendors are required to post security deposits to deter scams. Telegram bots automate transactions, enabling scalability with minimal human oversight.
Huione Guarantee dominated this space until a May 2025 crackdown, including U.S. Treasury sanctions and a Telegram ban, disrupted its operations. Instead of collapsing, the market fragmented, with over 30 successor platforms (e.g., Tudou, Ouyi) emerging. Some operators have even developed proprietary messaging apps, such as ChatMe, to evade law enforcement.
This infrastructure directly supports Southeast Asian scam compounds, which inflicted $5.8 billion in reported losses on U.S. victims in 2024 alone. Beyond consumer fraud, these marketplaces supply cybercriminals with stolen employee credentials, fake IDs, and NFC-relay fraud kits, posing a growing threat to corporate networks. The ecosystem’s resilience underscores its role as a critical enabler of large-scale cybercrime.
Source: https://cyberpress.org/stolen-credentials-sold-online/
Huione Life Insurance cybersecurity rating report: https://www.rankiteo.com/company/huione-life-insurance
"id": "HUI1781173501",
"linkid": "huione-life-insurance",
"type": "Cyber Attack",
"date": "5/2025",
"severity": "100",
"impact": "5",
"explanation": "Attack threatening the organization's existence"
{'affected_entities': [{'industry': 'Illicit finance',
'location': 'Global (Chinese-language operators)',
'name': 'Huione Guarantee',
'type': 'Cybercrime marketplace'},
{'industry': 'Illicit finance',
'location': 'Global',
'name': 'Tudou',
'type': 'Cybercrime marketplace'},
{'industry': 'Illicit finance',
'location': 'Global',
'name': 'Ouyi',
'type': 'Cybercrime marketplace'},
{'customers_affected': 'U.S. victims ($5.8B losses in '
'2024)',
'industry': 'Fraud',
'location': 'Southeast Asia',
'name': 'Southeast Asian scam compounds',
'type': 'Cybercrime operation'}],
'attack_vector': ['Telegram-based automation', 'Cryptocurrency transactions'],
'data_breach': {'personally_identifiable_information': 'Yes',
'sensitivity_of_data': 'High',
'type_of_data_compromised': ['Stolen enterprise credentials',
'Fraud kits',
'Fake IDs']},
'date_publicly_disclosed': '2025-05',
'description': 'Between 2021 and 2025, a sprawling illicit economy processed '
'over $27 billion in cryptocurrency, leveraging an escrow '
'system modeled after legitimate e-commerce platforms like '
'Alipay. Operating primarily on Telegram, these '
"Chinese-language 'guarantee' marketplaces facilitated the "
'trade of stolen enterprise credentials, money laundering '
'services, and corporate impersonation tools. The system '
'mirrored traditional escrow models, with marketplace '
'operators holding cryptocurrency until illicit goods were '
'delivered. Telegram bots automated transactions, enabling '
'scalability with minimal human oversight. Huione Guarantee '
'dominated this space until a May 2025 crackdown, including '
'U.S. Treasury sanctions and a Telegram ban, disrupted its '
'operations. The market fragmented into over 30 successor '
'platforms (e.g., Tudou, Ouyi), some developing proprietary '
'messaging apps like ChatMe to evade law enforcement. This '
'infrastructure supports Southeast Asian scam compounds, which '
'inflicted $5.8 billion in reported losses on U.S. victims in '
'2024 alone, and supplies cybercriminals with stolen employee '
'credentials, fake IDs, and NFC-relay fraud kits.',
'impact': {'data_compromised': ['Stolen enterprise credentials',
'Fake IDs',
'Fraud kits'],
'financial_loss': '$27 billion (2021-2025)',
'identity_theft_risk': 'High',
'operational_impact': 'Enabled large-scale cybercrime operations',
'payment_information_risk': 'High',
'revenue_loss': '$5.8 billion (U.S. victims in 2024)'},
'initial_access_broker': {'data_sold_on_dark_web': 'Stolen enterprise '
'credentials, fraud kits'},
'lessons_learned': 'Cybercrime infrastructure is highly resilient, with '
'fragmented successor platforms emerging after crackdowns. '
'Escrow-based marketplaces enable scalable illicit trade '
'with minimal oversight.',
'motivation': ['Financial gain', 'Fraud enablement'],
'post_incident_analysis': {'corrective_actions': ['Sanctions on marketplace '
'operators',
'Disruption of '
'Telegram-based operations',
'Development of proprietary '
'messaging apps by '
'cybercriminals to evade '
'detection'],
'root_causes': ['Lack of oversight in '
'cryptocurrency transactions',
"Telegram's automation "
'capabilities enabling scalability',
'High demand for illicit '
'goods/services']},
'recommendations': ['Enhanced monitoring of cryptocurrency transactions',
'International cooperation to disrupt cybercrime '
'marketplaces',
'Public awareness campaigns on fraud risks'],
'regulatory_compliance': {'legal_actions': ['U.S. Treasury sanctions']},
'response': {'containment_measures': ['Sanctions', 'Telegram ban'],
'law_enforcement_notified': 'U.S. Treasury'},
'threat_actor': ['Chinese-language cybercriminal groups',
'Southeast Asian scam compounds'],
'title': 'Underground Escrow Marketplaces Fuel $27B Cybercrime Economy on '
'Telegram',
'type': ['Cybercrime Infrastructure', 'Escrow-Based Marketplace']}